Modern Wi-Fi networks and devices connected to them could now potentially be hacked – as Mathy Vanhoef, a researcher from Belgian university KU Leuven released information about a WPA security flaw. This bug is the first to be found in 14 years of the modern encryption techniques that have been used to secure Wi-Fi networks – techniques designed to protect data – preventing eavesdropping and the injection of malicious code – as it travels from the user’s device to a router.
For those interested in more technical details and a demonstration, the researcher has published them on his website: Krackattacks
In his Introduction he mentions:
„This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
So, what we can do?
- Until all routers have been patched, you should treat ALL Wi-Fi networks as insecure. Make sure you have a password on your Wi-Fi network – if you haven’t had one, set it ASAP.
- Update your Wi-Fi software – on your mobile devices as well as on your routers! Check the website of the manufacturer to find out how to patch your device. Updates may not yet be available for all devices, but many major manufacturers already scheduled it.
- The „Krack attacks” affect secure networks relying on a bug in the „handshake” between the device and the router to insert a new „key” that can decrypt communications, potentially stealing sensitive information like passwords and credit card data.
- Most banking and e-commerce websites use https encryption – a technique which protects you from this flaw. Make sure you only give your credit card data where you see „https:” and a little padlock next to the URL of the website.
- If you want to ensure the security of your data when using Wi-Fi, you should use a „virtual private network” (VPN)
According to Alan Woodward, professor of the University of Surrey’s Centre for Cyber security, the only way to fix the flaw would be to manually patch or replace every router in people’s homes. He says while the attack is not technically easy at the moment, tools would soon be developed which could make exploitation of the vulnerability scalable.
We think KRACK is a client-side attack, so it should be addressed on the client side. It CAN be mitigated by mass-patching routers, but that’s much less feasible than patching the clients (patching an android phone vs a 20-year-old router).
We expect other Wi-Fi vulnerabilities will be discovered based on the concepts introduced by KRACK, so stay tuned – and develop a defensive programming mindset to keep your software secure!